Privacy and Data Security Client Alert | January 2019
Going Deep on the California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) has been called the beginning of America’s GDPR. Because it is the most comprehensive privacy law in the United States, entities doing business in California need to ensure they are in compliance or risk severe penalties. Stay tuned for our upcoming webinar as we tackle the CCPA in soup-to-nuts fashion. For more information, please contact Al Saikali or Camila Tobón.
U.S. Supreme Court to Address Standing in Data Privacy Settlement
Following the U.S. Supreme Court’s request, the parties in Frank v. Gaos completed supplemental briefing on the question of standing in the case, which stems from an $8.5 million privacy settlement of a class action regarding Google’s alleged unauthorized disclosure of search queries to third parties. The trial court approved the settlement before the Court announced its ruling in Spokeo v. Robins, and the question is now whether merely alleging a statutory violation (without a more concrete injury) is sufficient to provide standing.
Read the full article at Bloomberg Law >>
Data Security Lawsuit Filed by Investors Against Marriott
On December 1, 2018, Marriott investors filed a complaint in the Eastern District of New York alleging that the hotel chain “misled” them about the security of its data storage systems. The lawsuit (and many others that followed) stems from the November 30, 2018, announcement that hackers stole the personal data of 500 million guests from Marriott’s reservation system, beginning as early as 2014.
Read the full article at The New York Times >>
Australia Passes Controversial Encryption Bill
Framing the move as an anti-terrorism measure, the Australian Parliament voted to approve a law that would require technology companies to provide law enforcement and security agencies with access to encrypted communications. It was opposed by civil-rights activists and tech companies as overbroad and vague, and on the basis that it could hurt business because customers would doubt promises to protect encrypted data.
Read the full article at The New York Times >>
D.C. Attorney General Alleges Facebook Fell Short of Duty to Protect User Data
On December 19, 2018, the Washington, D.C., attorney general filed a complaint against Facebook alleging that the company “failed to protect the privacy of its users and deceived them about who had access to their data and how it was used[.]” The lawsuit stems from the Cambridge Analytica scandal that broke in March 2018; the company obtained the personal data of nearly 87 million individuals around the world without their knowledge and later used that data to target voters in the 2016 U.S. presidential election.
Read the full article at The Washington Post >>
Twelve State Attorneys General File Joint Lawsuit Against Medical Records Companies Over Cybersecurity Practices
On December 4, 2018, in a landmark filing, the attorneys general of Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin jointly alleged in an Indiana federal court that a May 2015 cyberattack on WebHealth, an electronic health record application, resulted in unauthorized access of over 3.9 million records containing personal health information. The complaint alleges that poor cybersecurity practices led to the breach, which constituted a “violation of the state consumer protection, data breach, personal information protection laws and federal HIPAA statutes[.]”
Read the full article at SC Media >>
European Commission Releases Report on Second Joint Review of the Privacy Shield Mechanism
The European Commission released its official report on the second U.S. and EU joint review of the Privacy Shield data transfer mechanism on December 20, 2018. The Commission, while noting that the United States has taken many steps over the past year to strengthen the mechanism, stressed that it expects the United States to appoint a permanent ombudsperson to handle national security complaints by February 28, 2019. To date, the position has been filled by a temporary ombudsperson within the U.S. State Department.
Mercy Health Class Action Dismissed For Lack of Actual Data Breach
The mere possibility that a third party could improperly access personal health information is not enough to confer standing under the U.S. Supreme Court’s 2016 decision in Spokeo v. Robins, an Ohio federal court has found.
Read the full article at Global Data Review >>
Google Faces Fines Under GDPR For Its Location-Tracking Feature
Google is facing complaints filed by consumer groups in seven European countries that follow on the heels of the revelation that the company is able to track a user’s location even when the “Location History” option is turned off. Fully disabling the function requires users to disable a second “Web and App Activity” setting, which is enabled by default. The consumer groups claim that Google is using “deceptive practices” to get users to enable both settings and that consent to track the user’s location is not given freely.
Read the full article at The Verge >>
New Dutch Wi-Fi Tracking Guidance Released
The Dutch data protection authority has released guidance limiting the circumstances in which an individual may be tracked through Wi-Fi. Among other requirements, the guidance states that Wi-Fi tracking should only be used in situations where personal data processing is beneficial, e.g., as a safety measure.
Read the International Association of Privacy Professionals' article >>
Brazil Adopts Provisional Measure Establishing National Data Protection Authority
On December 27, 2018, outgoing president Michel Temer adopted Provisional Measure No. 869 of 27 December 2018 providing for the creation of a Brazilian data protection authority (called the ANPD based on its Portuguese acronym).
Read the full article at ZDNET >>
Two BIPA Lawsuits Dismissed for Lack of Article III Standing
A federal court dismissed two class actions based on alleged violations of the Illinois Biometric Information Privacy Act (BIPA). The court held that the plaintiffs knew or should have known that their finger-scan information was being collected and therefore lacked standing under Article III. The lawsuits may be refiled in state court, where most BIPA cases are pending, and the Illinois Supreme Court is expected to issue a decision on whether a plaintiff must show more than a technical violation of BIPA to establish standing in state court.
Read the full articles at Gizmodo and Bloomberg Law >> (subscription required)
California Sues The Weather Company Based on Data Collection Practices
The State of California sued The Weather Company for allegedly misleading users of its app about why their geolocation data was needed. According to the lawsuit, The Weather Company informed users that it collects the data to personalize alerts, but it did not tell users that the information is sold to advertisers.